ramnit | d870fdcd3d965af99b963ecb78f461f7af29741e15dec10422d0773d92102da3

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f69bf9a22ec4cd9cac60d64ea2ddeff_JaffaCakes118.dll
Size

248KB
MD5

0f69bf9a22ec4cd9cac60d64ea2ddeff
SHA1

57d6edaf2914710bbe57fb886e8dbb43ff6c473e
SHA256

d870fdcd3d965af99b963ecb78f461f7af29741e15dec10422d0773d92102da3
SHA512

86c9e7679de0f45d27678e4145b2b12b5d713a5258b3b1aa76f64a733528d372bbc41cada102c583a59bc3eaa6d3fd7154844dfd57c8fc1a90926299f2c9f40e
SSDEEP

3072:0V5J7ftwoflUgXeenxV6FUhRlugpJ+oUfgYE5G+aWqQzrj6a71fHkP2HzdhZ9vWP:E7fapZ4Oef+NE5Hnua7CY5hA

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1300	regsvr32mgr.exe
2976	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	regsvr32.exe
2368	regsvr32.exe
1300	regsvr32mgr.exe
1300	regsvr32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-20-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/1300-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1300-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-83-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2976-620-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\MCESidebarCtrl.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\networkinspection.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEDAO.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextService.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EE-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupOpType"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A0B-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0C-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A11-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A06-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A12-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89EE-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89F9-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupFeature"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89F0-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EE-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A09-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A09-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A10-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A07-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupUserInterface"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A07-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89FB-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EF-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A09-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A06-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A06-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A13-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89F9-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89ED-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EF-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89EE-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.User\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A08-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0F-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A13-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89F0-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A0A-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89F0-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EA-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C8A14-5C36-11D5-ABAF-00B0D02332EB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A11-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupMultiMedia"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A11-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A06-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0D-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89FB-5C36-11D5-ABAF-00B0D02332EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89EC-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupFeatureLog"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A0B-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C8A14-5C36-11D5-ABAF-00B0D02332EB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0f69bf9a22ec4cd9cac60d64ea2ddeff_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777C8A14-5C36-11D5-ABAF-00B0D02332EB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A07-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0A-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89F9-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A0D-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0E-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A01-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89EE-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A0F-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89ED-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89EF-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89FB-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C89F0-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupFeatureLogs"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A08-5C36-11D5-ABAF-00B0D02332EB}\TypeLib\ = "{777C8A14-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A12-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A10-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0E-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777C8A13-5C36-11D5-ABAF-00B0D02332EB}\ = "ISetupRebootable"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A0F-5C36-11D5-ABAF-00B0D02332EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C8A13-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777C89F9-5C36-11D5-ABAF-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPW.User.1\CLSID\ = "{777C8A16-5C36-11D5-ABAF-00B0D02332EB}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
2976	WaterMark.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	WaterMark.exe
Token: SeDebugPrivilege	1904	svchost.exe
Token: SeDebugPrivilege	2976	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1300	regsvr32mgr.exe
2976	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 1464 wrote to memory of 2368	1464	regsvr32.exe	30
PID 2368 wrote to memory of 1300	2368	regsvr32.exe	31
PID 2368 wrote to memory of 1300	2368	regsvr32.exe	31
PID 2368 wrote to memory of 1300	2368	regsvr32.exe	31
PID 2368 wrote to memory of 1300	2368	regsvr32.exe	31
PID 1300 wrote to memory of 2976	1300	regsvr32mgr.exe	32
PID 1300 wrote to memory of 2976	1300	regsvr32mgr.exe	32
PID 1300 wrote to memory of 2976	1300	regsvr32mgr.exe	32
PID 1300 wrote to memory of 2976	1300	regsvr32mgr.exe	32
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 2732	2976	WaterMark.exe	33
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 2976 wrote to memory of 1904	2976	WaterMark.exe	34
PID 1904 wrote to memory of 256	1904	svchost.exe	1
PID 1904 wrote to memory of 256	1904	svchost.exe	1
PID 1904 wrote to memory of 256	1904	svchost.exe	1
PID 1904 wrote to memory of 256	1904	svchost.exe	1
PID 1904 wrote to memory of 256	1904	svchost.exe	1
PID 1904 wrote to memory of 332	1904	svchost.exe	2
PID 1904 wrote to memory of 332	1904	svchost.exe	2
PID 1904 wrote to memory of 332	1904	svchost.exe	2
PID 1904 wrote to memory of 332	1904	svchost.exe	2
PID 1904 wrote to memory of 332	1904	svchost.exe	2
PID 1904 wrote to memory of 380	1904	svchost.exe	3
PID 1904 wrote to memory of 380	1904	svchost.exe	3
PID 1904 wrote to memory of 380	1904	svchost.exe	3
PID 1904 wrote to memory of 380	1904	svchost.exe	3
PID 1904 wrote to memory of 380	1904	svchost.exe	3
PID 1904 wrote to memory of 388	1904	svchost.exe	4
PID 1904 wrote to memory of 388	1904	svchost.exe	4
PID 1904 wrote to memory of 388	1904	svchost.exe	4
PID 1904 wrote to memory of 388	1904	svchost.exe	4
PID 1904 wrote to memory of 388	1904	svchost.exe	4
PID 1904 wrote to memory of 428	1904	svchost.exe	5
PID 1904 wrote to memory of 428	1904	svchost.exe	5
PID 1904 wrote to memory of 428	1904	svchost.exe	5
PID 1904 wrote to memory of 428	1904	svchost.exe	5
PID 1904 wrote to memory of 428	1904	svchost.exe	5
PID 1904 wrote to memory of 472	1904	svchost.exe	6
PID 1904 wrote to memory of 472	1904	svchost.exe	6
PID 1904 wrote to memory of 472	1904	svchost.exe	6
PID 1904 wrote to memory of 472	1904	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1124
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:308
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1192
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:996
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:664
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1536
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2592
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2624
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0f69bf9a22ec4cd9cac60d64ea2ddeff_JaffaCakes118.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\0f69bf9a22ec4cd9cac60d64ea2ddeff_JaffaCakes118.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2732
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
134KB

MD5
4f07970d754d54c05c984c1bd147fccc

SHA1
f86e316175cb35b75854264a517a3c897c9b7be4

SHA256
2df5d18f52083214ef1b63ad3321bcbd687a71249dd9ed8c918f53d95b94441b

SHA512
96aeff2b81a0113f8cc718bafc9be1ddac97b03eee39a432c8ec8e32f57174c7d98874596ef9d652cede4ff9cd537e99f21fc801ab9f46335eb30c0fecf29737

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
130KB

MD5
aee4f6a9505949f6e73180a40b39af61

SHA1
1dfc8eaaad719c156b5f70524b1008a862460ad2

SHA256
6033c6ade33c0236b2bec709b284ba9f21f6d4e1fe30a92c48f39e85632547dd

SHA512
d684598c727a6f7b7a3d432e8ac3fb243bd34e1184f35e23be6c3ac7acadfb406d09c89ba019b7621debee683580705d83a5740ff99e35786be16979921c668e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
60KB

MD5
f5383b8d76b434cd45caad3697c5acc7

SHA1
36736c3eda9aeb4d0b5aca229865b62190b73da5

SHA256
eac31cbfe560c4bdf1a3b859862b034585962c8fed6bfbdd8e6bdb710abc3fc8

SHA512
0f259ef90e3c3bdf398508552edaadaf48ae517204c3c8094404b712d5613abd75fab120ea3c4c0a0df44092475cbff0a037c39c757f8851adda17d673d8d0ec

Download Submit
memory/1300-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-18-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1300-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1300-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-29-0x0000000000050000-0x0000000000084000-memory.dmp

Filesize
208KB

Download
memory/1904-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1904-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1904-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1904-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1904-90-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1904-95-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1904-94-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1904-92-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/1904-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2368-14-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/2368-1-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2732-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2732-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-62-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-367-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-60-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2732-59-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2732-54-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2732-47-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2976-40-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2976-83-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2976-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2976-41-0x00000000770CF000-0x00000000770D0000-memory.dmp

Filesize
4KB

Download
memory/2976-89-0x00000000770CF000-0x00000000770D0000-memory.dmp

Filesize
4KB

Download
memory/2976-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2976-71-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2976-620-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2976-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2976-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download